LinkedIn Secretly Scans Browser Extensions, Collects Sensitive Data Without Disclosure
What Happened — LinkedIn is reportedly scanning users’ browsers on every click to enumerate more than 6,000 installed extensions. The data harvested can reveal job‑search activity, religious affiliation, neuro‑diversity indicators and other personal traits, none of which appear in LinkedIn’s public privacy policy.
Why It Matters for TPRM —
- Data collection that a vendor does not disclose is itself a third‑party risk finding: the inventory of what the platform holds about your staff, and therefore what can be breached, subpoenaed or sold, is incomplete.
- Hidden profiling of protected characteristics (religious affiliation, disability indicators) can trigger regulatory scrutiny (e.g., GDPR, CCPA) for organizations that rely on LinkedIn for recruiting or marketing.
- The technique shows that a “trusted” SaaS platform can silently harvest browser metadata, which matters for any supply‑chain relationship that includes LinkedIn integration or routine employee use of the site.
Who Is Affected — Professional services, recruitment firms, technology SaaS providers, and any enterprise that permits employee LinkedIn use on corporate devices.
Recommended Actions —
- Conduct a privacy‑impact review of LinkedIn usage across your organization.
- Restrict LinkedIn use to managed browsers or a dedicated browser profile with a small, reviewed set of extensions; browser policy can control which extensions are installed, not whether a page probes for them, so a sparse profile gives an enumeration script little to learn.
- Update vendor risk questionnaires to include questions on undisclosed data‑collection practices.
- Monitor for regulatory guidance on implicit profiling by social‑media platforms.
Technical Notes — The source does not detail the exact mechanism. Page JavaScript cannot call chrome.management (that API is available only to extensions holding the “management” permission), and navigator.plugins exposes browser plugins, not extensions. The standard way a web page fingerprints installed extensions is to probe each candidate extension’s web‑accessible resources (chrome-extension://<id>/<path>) and treat a successful load as presence; a list of 6,000+ candidates is consistent with that approach. No CVE applies; this is a design choice by the site, not a vulnerability in the browser. Traits inferred from the detected extensions reportedly include employment intent, religious affiliation, and neuro‑diversity indicators. Source: Smashing Security Podcast #462 – Graham Cluley
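The following is an added example, not LinkedIn’s code and not something the podcast shows; it demonstrates the web‑accessible‑resource probing technique described above, together with a defender‑side check that lists which extension IDs a captured page script probes. The extension IDs, resource paths, category labels and the sample script are constructed for illustration; `browserProbe` is the only part that needs a real browser and is not exercised offline.

```javascript
// Added example: how a web page enumerates installed browser extensions by
// probing web-accessible resources, plus a defender-side scan of page scripts.
// All IDs, paths, categories and the sample script below are constructed.

// Chrome extension IDs are 32 characters drawn from [a-p]; these are made up.
const ID_JOBSEARCH = "abcdefghijklmnop".repeat(2);
const ID_ACCESS = "ponmlkjihgfedcba".repeat(2);
const ID_SHOP = "cdefghijklmnopab".repeat(2);
const ID_RELIGION = "h".repeat(32);

// Candidate catalog: for each extension, one resource it exposes via
// web_accessible_resources and a trait label the profiler would infer.
const EXTENSION_CATALOG = [
  { id: ID_JOBSEARCH, resource: "img/logo.png", category: "job-search" },
  { id: ID_ACCESS, resource: "icons/128.png", category: "accessibility" },
  { id: ID_SHOP, resource: "assets/badge.svg", category: "shopping" },
  { id: ID_RELIGION, resource: "popup.html", category: "religion" },
];

// Probe for a real browser (not run offline): fetching a web-accessible
// resource succeeds, while a non-accessible or absent one throws a network
// error, which is mapped to "not detected".
function browserProbe(id, resource) {
  return fetch(`chrome-extension://${id}/${resource}`)
    .then((r) => r.ok)
    .catch(() => false);
}

// Run every probe concurrently and keep the catalog entries whose probe
// succeeded. `probe(id, resource)` may return a boolean or a promise of one,
// so the same logic runs against a simulated probe offline.
async function enumerateExtensions(catalog, probe) {
  const checks = catalog.map(async (entry) => ({
    entry,
    present: await probe(entry.id, entry.resource),
  }));
  const results = await Promise.all(checks);
  return results.filter((r) => r.present).map((r) => r.entry);
}

// Turn detected entries into the kind of trait profile the advisory warns
// about: a count per category, e.g. { "job-search": 1, religion: 1 }.
function summarizeCategories(detected) {
  const counts = {};
  for (const e of detected) counts[e.category] = (counts[e.category] || 0) + 1;
  return counts;
}

// Defender side: given the text of a page script, return the distinct
// extension IDs it probes. A script referencing thousands of distinct
// chrome-extension:// IDs is a strong indicator of enumeration.
const PROBE_RE = /chrome-extension:\/\/([a-p]{32})\//g;
function extractProbedExtensionIds(scriptText) {
  const ids = new Set();
  for (const m of scriptText.matchAll(PROBE_RE)) ids.add(m[1]);
  return [...ids].sort();
}

// Constructed: a simulated browser in which the given extensions are installed.
function makeSimulatedProbe(installedIds) {
  return async (id) => installedIds.has(id);
}

// Constructed sample of what a minified enumeration script's probe list
// looks like (one ID repeated, to show de-duplication).
const SAMPLE_SCRIPT = `
const t=["chrome-extension://${ID_JOBSEARCH}/img/logo.png",
"chrome-extension://${ID_RELIGION}/popup.html",
"chrome-extension://${ID_JOBSEARCH}/img/logo.png"];
t.forEach(u=>fetch(u).then(r=>report(u,r.ok)).catch(()=>{}));`;

// End-to-end run against the simulated browser.
async function demo() {
  const installed = new Set([ID_JOBSEARCH, ID_RELIGION]);
  const detected = await enumerateExtensions(EXTENSION_CATALOG, makeSimulatedProbe(installed));
  return {
    detected: detected.map((e) => e.id),
    profile: summarizeCategories(detected),
    probed: extractProbedExtensionIds(SAMPLE_SCRIPT),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Two caveats for practitioners: extensions that declare no web‑accessible resources, or (Manifest V3) use `use_dynamic_url` so the resource path changes per session, are invisible to this probe, so a candidate list only covers extensions that expose a static resource. On the defensive side, a burst of requests to `chrome-extension://` URLs in the browser’s network panel while visiting a site is the quickest way to confirm that enumeration is happening, and `extractProbedExtensionIds` can be run over the site’s saved scripts to size the candidate list.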